Stats

Outsourcing

July 01, 2014

Having empurpled with rage the kisser of a regulatory agency, I'd like to turn now to offending attorneys for various bank vendors who seem to take to personify the quality of some lawyers that business clients love to hate: we're "deal killers."

Actually, some of us are.

A case in point: a large financial institution sends out an RFP to solicit vendors to sell their services to the bank related toi a line of business that the bank is pursuing. There's a great deal of money to be made, so you would expect that the vendors who want to bid on the work would put on their best "smiley face" and also put their best foot forward. You would also think that they'd want to avoid offending the object of their affection by committing a faux pas akin to, while curtsying to the Queen of England, breaking wind with the force and sound of a watermelon hitting the sidewalk after a 10-story drop.

The initial contract that's customarily involved in a bank's RFP process is a mutual nondisclosure and confidentiality agreement, almost always drafted on the bank's standard form. Most vendors who are serious about bidding either merely review the agreement to ensure that they're not selling their children to an Eastern European white slave ring, then sign it, or request changes where there is a critical legitimate concern with a provision. Seldom will a bidder who seriously wishes to make a good first impression turn the nondisclosure agreement over to the equivalent of a first-year law student who's intent on spotting issues in order to make his contracts professor proud.

Then, you have the bidder who's counsel revised an entire paragraph on the first page of the nondisclosure agreement to change nothing of substance, only to re-designate clauses labeled "(i)", "(ii)," and "(iii)" to "(a)," "(b)," and "(c)." This is correct from a formatting standpoint, but in the grand scheme of things, so unimportant an issue to raise that it rings a bell as loud as Big Ben at the stoke of midnight.

The responsible bank officer ponders, "If this is how they act when they are romancing me, how will they behave like when they have had their way with me? How long will it take, and what will it cost me, to negotiate the vendor agreement if I select this navel gazer and picker of sub-atomic nits?"

Snatching defeat from the jaws of victory: it's a talent.

"[T]here are millions of people out there, just like you and me, with their thumb on the self-destruct button."--Etienne de L'Amour.

May 12, 2014

Notwithstanding the insistence of some inside and outside the federal regulatory agencies that regulatory "guidance" is not "mandatory," the cautious banker knows better. The headline in today's American Banker (paid subscription required) screamed, "Risk-Scoring Mandate Pushes Banks to Rethink Vendor Choices."

The word "mandate" may be thought a tad strong by some, and downright wrong by others. After all, the article referred primarily to OCC Bulletin 2013-29, which is officially merely guidance. However, as we've asserted repeatedly on this rag, a bank that doesn't treat guidance as mandatory is a bank with a strong streak of masochism.

The specific alleged "mandate" that reporter Penny Crossman is that banks "risk score" their vendors.

What regulators have been asking in their latest round of vendor management guidance is a far more detailed scrutiny of vendors: of their financial stability, debt, revenue, profitability, their cost structure, and product strategy, among other things.

In the past, a large, well-known vendor may have been a safe choice, but regulators are now saying it's no longer enough to choose a vendor because it's a market leader. They want to be presented with a scorecard that lets them review how banks evaluate their vendors in a consistent way.

"The regulators are forcing banks to sit down and say 'what if. if this vendor goes away, what are the risks to you?'" says Lawrence Kaplan, of counsel at the Washington, D.C., law firm Paul Hastings.

Along those lines, Bulletin 2013-29 also specifically provides that a long-standing relationship with a vendor does not negate the requirement that the bank do the "required" due diligence and evaluation on that vendor as it would on any comparable vendor, and make certain that it engages in ongoing monitoring of that vendor in an objective fashion. Familiarity shall not breed comfort, is apparently the regulators' motto.

As Crossman points out, there's no one-size-fits-all risk scoring model. I've seen several, any one of which appeared to do the trick. However, it appears that some sort of numerical risk-scoring is becoming the rule rather than the exception for banks.

The regulators haven't even explicitly said banks must assign each vendor a numerical score, though they have implied it.

"Unfortunately a score for each vendor is an unstated expectation," says Paul Reymann, a partner at McGovern Smith Advisors in Washington.

[...]

"Examiners want to know how you went through that methodology," Reymann says. "How you measure that could be with numbers, 0 to 100, or red, yellow and green indicators."

Among the factors that could be included in such a model, the article mentions financial viability, ownership, scalability (ability to grow with the bank), concentration risk (vendor failure affecting a large number of banks), and compliance risk (can you say "online tribal payday lending? I knew that you could!"). Those are only a few. Consultant Walter Taylor has come up with a list of 30 of them. Obviously, the risk assessment becomes more important as the vendor becomes more "critical" to the bank, but the basic risk scoring ought to be done on all vendors to justify to examiners how you rated the vendor and why you made the decision to retain them (if you did).

A couple of quotes struck home, because they mirror my own experiences.

It's not that you can't use a startup, but the management of the bank will have to justify it to the board, which will have to justify to the regulators why they're using Larry's ATM Machines rather than Diebold," Kaplan says. "What benefit do we get out of that and why are we better off, other than price? It's going to be a critical issue."

[...]

"If you've got three people in a garage doing some type of real-time processing for you with deposits or credit cards, that's crazy," Taylor says."

It's not pretty when the bank officer's buddies, who, literally, are three guys in a garage (with a heck of a neat software code they've developed), have their spare balance sheet and income statement reviewed by the green eye-shades on the vendor oversight committee, who respond with a variation of "You're kidding us, right?"

With all the other stuff banks have to worry about, vendor management may seem like it ought to be small potatoes. It's not. If you treat it that way, you'll dodge the bullet for awhile, right up until the instant it carves a canoe in your skull. Vendor management is serious business these days. Take it seriously.

April 17, 2014

The Comptroller of the Currency Thomas Curry gave a speech the other day (paid subscription required), and emphasized a couple of points that vendor management folks at financial institutions with various charters--state and federal, bank and credit union--and the lawyers who represent them, would be wise to heed.

Comptroller of the Currency Thomas Curry said his agency is increasingly concerned about the cybersecurity risks from banks relying too much on certain vendors and using service providers in foreign countries.

Banks can end up becoming dependent on certain vendors because of consolidation in the service provider industry, Curry said in his prepared remarks for the Consumer Electronics Show's Government Summit in Washington. They can also be exposed to risks when they assign critical functions to outside vendors, including those that use foreign-based subcontractors.

"Banks need to consider the legal and regulatory implications of where their data is stored or transmitted, and make a determination as to whether geographic limitations are needed in their contracts," Curry said. "Finally — and perhaps most importantly — we are concerned about the access third parties have to large amounts of sensitive bank or customer data."

Here are a few take-aways:

First, cybersecurity due diligence of your vendor assumes critical importance when that vendor has access to customer data and other sensitive information of the institution. Access to sensitive information ought to make that vendor a "critical" vendor regardless of the dollar "value" of the contract. The institution needs to be able to document that it examined the information security procedures and systems and found that they met industry standards.

Second, the provisions of the agreement between the institution and such vendors on confidentiality and information security need to be "robust." This is especially critical when one or a couple of vendors of the institution have access to a lion's share of sensitive data. Read OCC Bulletin 2013-29, FFIEC's handbooks on the outsourcing of technology services, and other regulatory guidance. Make sure you know what contractual assurances you need and then make sure they're in the agreement.

Third, the financial institution needs to monitor the compliance of these vendors with information security safeguards throughout the life of the relationship. If a critical vendor's not providing an annual SASE 16 audit report of an appropriate type (SOC 1 vs. SOC 2), and not addressing problems raised by such annual reviews, you've got a problem.

"We expect the board and management to ensure that appropriate risk management practices are in place, that clear accountability for day-to-day management of these relationships is established, and that independent reviews of these relationships will be conducted periodically," Curry said in his remarks Wednesday.

That's a red flag, no?

Fourth, you need to read between the lines of what Curry's saying about "certain vendors." Pay attention to what's happening in the marketplace. If an article appears in the press that notes problems with a critical vendor, investigate and assure your self that any problems are being addressed. Review the web sites of the regulators for enforcement actions, and pay attention to what you find if a vendor is the subject. Pay attention to your own due diligence. If you gather necessary information but don't act upon it appropriately, your regulator will not be pleased.

Fifth, foreign subcontractors have become a "hot button" concern. I would recommend that in your vendor agreements with critical vendors you have adequate restrictions on the use of subcontractors. Among those restrictions ought to be that the use of a non-US based subcontractor requires your prior written consent. I represent banks that would never consent, but that's a story for another day.

If the vendor pushes back, that vendor ought to be a cause for grave concern. They're not doing you a favor by selling you their technology, although a few of the larger ones act that way, especially if you're a smaller institution. These concerns are regulatory concerns, matters of safety and soundness. If the vendor is large and representing a number of financial institutions, none of these issues should come as surprise to them. If you have concerns about a vendor, give your federal regulator a call and tell him or her about those concerns. As Curry makes clear, your regulator will be interested. Very interested.

April 10, 2014

The ICBA is starting to gag on Operation Choke Point. Before it and its members pass out from lack of oxygen, it's demanding that the Department of Justice loosen its grip on the windpipes of its members.

In a letter Tuesday to the DOJ, Independent Community Bankers of America president Camden Fine argues that the investigation known as Operation Choke Point has an overly broad scope and is hurting community banks' ability to compete with their larger peers.

[...]

[T]he ICBA letter suggests that the Justice Department is singling out smaller banks. "The indiscriminate targeting of community banks offering these services also places community banks at a competitive disadvantage with large banks," Fine writes.

The only lawsuit filed so far as part of Operation Choke Point was brought against a small bank in North Carolina, but large banks have also gotten subpoenas, according to sources.

As the linked article points out, huge banks have received investigative inquiries, but only a little bank has had an actual enforcement action taken against it. Bullies always start out with the smallest member of the group, hoping to intimidate those who might actually be able to fight back to be intimidated.

As the article also discusses, the complaints of the ICBA mirror those previously made by the ABA. Unlike the ABA, however, the ICBA's complaint includes the fact that community banks are being singled out for the harshest treatment. That distinction makes sense, inasmuch as the ICBA focuses on smaller banks, while the ABA leans more toward the interests of the bigger banks.

Both trade groups, however, make the very valid point that law enforcement authorities, and bank regulators, would do a lot less damage to banks and legitimate payment processors if, instead of beating up the banks they regulate, they went after the "bad guys" among the payment processors. If they did so, they might alleviate concerns of many that what the folks at the top are after is not a few bad apples, but entire industries engaged in perfectly legal businesses that "the enforcers" find "distasteful."

June 16, 2013

A few weeks ago, the American Bankers ran a story about how community banks were hiring outside consultants to negotiate major IT contracts with vendors.

Hiring consultants, including those who once worked at tech vendors,
can make a difference, industry observers say. Vendors have an advantage
because they are constantly negotiating deals, while bankers only visit
the issue every few years, says Greg Schratwieser, president and CEO of
International Consulting.

Paladin [an IT consulting firm] collects data tied to the
processing contracts of financial institutions with less than $5 billion
of assets. It then uses its database to determine whether a bank is
overpaying for its services.

Not surprisingly, some IT service providers aren't happy to see the "hagglers" appear on the scene. My response would be "Tough." Then again, some IT service providers go with the flow.

Despite the head-to-head competition, consultants and core processors
have a good relationship, says Stephen Ward, senior vice president of
the global sales organization at Fiserv.

The presence of a third-party negotiator shows that a bank is serious
about the contract, and it "instills a process that has a start time
and end time," he says.

"If the bank is paying for that service, it is more likely to follow the timetable," Ward adds.

Spoken like a man who, when handed lemons, can whip up a gallon of tasty lemonade in no time flat.

Nowhere in the article is made the very important point that the consultant is only one member (albeit, a potentially valuable member) of the financial institution's negotiating team. Another critical player is the bank's IT counsel. The consultants who are described in the article are focused on the business terms, including pricing, add-on services, and term. Knowledgeable lawyers would be focused on other issues, such as legal risk allocation, including warranties, remedies, limitations, disclaimers, and indemnifications. As OCC Bulletin 2001-47 states, concerning risk assessment:

The risk assessment phase should include the identification of
performance criteria, internal controls, reporting needs, and
contractual requirements. Internal auditors, compliance officers, and
legal counsel could help to analyze the risks associated with the
third-party relationship and to establish the necessary control and
reporting structures.

There is also contained in that bulletin and other guidance issued by the federal banking regulators, a laundry list of contract issues that should be considered and negotiated in third party service agreements. Again, input from legal and other areas of the bank is advisable to ensure that these issues are properly assessed and addressed in the written agreement between the bank and the service provider.

Hagglers may be a valuable add-on to the bank's other resources, but they're not the only necessary player on the evaluation and negotiation team of a financial institution's technology service agreement.

February 24, 2013

Last year, in 46% of the FDIC IT examinations in which bank
ratings were downgraded, inadequate vendor management was cited as a causal
factor, says Donald Saxinger, senior examination specialist in FDIC's
Technology Supervision Branch.

"I'm not saying it was the primal causal factor, but,
in 46% of the downgrades, vendor management was cited," Saxinger says. He
spoke during the recent ABA Telephone Briefing "Vendor management: Unlocking
the value beyond regulatory compliance."

Although the most common “error” that FDIC examiners
discovered was the failure by banks to ask their vendors for copies of
regulatory examinations, that wasn’t the only nugget contained in the linked
article from the ABA Banking Journal. Among the others:

• Vendor management needs to consider all service providers
that hold sensitive customer information, not just IT vendors. These include
loan workout consulting, appraisal review companies, outside attorneys, and
others.

• Make sure to get the proper exam reports about individual
vendors. Some banks just obtain reports for the host data center, but not for the
specific application that the banks were using.

• Even the proper reports don't cover everything that a bank must consider in its security risk management efforts. For example, one service provider with an otherwise clean report did not have an internal audit program and its business continuity
planning was poorly documented.

This is all sound advice, of course, but knowing what you need to ask for is only half the battle. You also need to make certain that the agreement with your vendor gives the bank the right to ask for, and the vendor the obligation to deliver to the bank, copies of the necessary reports. Relying on the goodwill of the vendor in coughing up examination and audit reports, especially when they may contain results that are less than flattering to the vendor, is "unwise."

Here's one more tip: if the report reveals problems, the agreement with the vendor should require the vendor to notify the bank of what action the vendor intends to take to remedy the defects, and should also require the vendor to give the bank periodic progress reports on its progress in correcting those problems.

I'll be doing a webinar on March 6, 2013 on the topic "Technology
Service Agreements: Meeting Regulator’s Expectations." It covers regulatory guidance applicable to credit unions, banks, and thrifts, although the same essential principles apply to each. The goal is to discuss the provisions of a technology service agreement that regulators expect (and that sound business judgment requires) be included, and to give financial institutions guidance on how to approach the issues covered by each of those provisions so that the institution meets its regulator's expectations while also meeting the institution's business needs.

February 03, 2013

Internet security guru Brian Krebs had an excellent post a few weeks ago about much of the attention on cyberheists may be focused on the security vulnerabilities of small banks and their business customers, the large banks are playing a large role in small banks' losses.

A $170,000 cyberheist last month against an Illinois nursing home
provider starkly illustrates how large financial institutions are being
leveraged to target security weaknesses at small to regional banks and
credit unions.

I have written about more than 80 organizations
that were victims of cyberheists, and a few recurring themes have
emerged from nearly all of these breaches. First, a majority of the
victim organizations banked at smaller institutions. Second, virtually
all of the money mules — willing or unwitting individuals recruited to
help launder the stolen funds — used accounts at the top five largest
U.S. banks.

Krebs responds to a question often asked of him, whether it's safer for a business to bank with a large bank rather than a small bank, by asserting that it's a difficult question to answer "because banking online remains a legally and financially risky affair
for any business, regardless of which bank it uses"

Businesses do not
enjoy the same fraud protections as consumers; if a Trojan lets the bad
guys siphon an organization’s online accounts, that victim organization
is legally responsible for the loss. The financial institution may
decide to reimburse the victim for some or all of the costs of the
fraud, but that is entirely up to the bank.

That's right. Regulation E does not apply to business customers. That's something that sometimes comes as a shock to small business customers, especially those who were too cheap to hire legal counsel to review the account and other online banking agreements before they were signed. "Forewarned is forearmed" is an old adage with a lot of wisdom behind it. It's not that banks will negotiate the terms of their agreements (most of them will not, especially with small customers), but that customers who understand their legal position going into the relationship are more likely to be concerned about doing due diligence on the bank's security procedures and track record and considering other methods to lessen and cover their risks (I've seen a few who suddenly realize that having a PC dedicated solely to online banking transactions and no other activities is not such a waste of money, after all).

Krebs also points out that since larger banks are more likely to have the resources to settle even large losses to avoid the reputational risk of cyberheists, it may be difficult to know how many instances of loss occur. However, it's reasonable to assume that the large banks spend a lot more money and person-power on security measures than do small banks.

Wearing my cyberthief glasses, if I’m looking at a huge pile of data
stolen from thousands of victims, I’m probably more apt to target
victims at smaller banks based on one simple assumption: Because I’m
going to have a much higher success rate than I would targeting
customers of larger institutions.

Krebs takes a shot at technology service providers who service many of the smaller banks for not doing more to secure online banking transactions.

Case in point: Optimumbank’s service provider is Fiserv, one of the largest banking industry service providers. According to Fiserv’s site,
at least 52 percent of the nation’s $19 billion in ACH payments are
processed using Fiserv software. If this is true, one might think that
Fiserv’s systems handled about half of the mule transfers that were sent
from Niles Nursing’s hacked bank account.

But according to Murray Walton, Fiserv’s chief risk officer, the software that most of its customer banks run — called PEP+ –
is a client solution that does not interact with the company’s data
centers. He said while Fiserv does offer an antifraud solution called FraudNet, that tool is designed for online bill pay services that banks can use to detect fraud patterns on consumer accounts.

“There are vendors who can knit it all together for banks, but that
isn’t what we do,” Walton said in an interview. “For various and sundry
reasons we don’t offer an engine that does the same thing as [an
anti-fraud provider like] Guardian Analytics. Realistically, the client
and end-user have responsibilities that they can’t abdicate to us.
Everyone in this needs to take it seriously and not think that someone
else has their back.”

I understand Walton's point, but on the other hand, a small bank's takeaway from those three paragraphs might be "Fiserv doesn't have your back, so look elsewhere." A competing core platform and processing vendor that "does have your back" might have a tag line to use.

Large banks are also lambasted for allowing so many "mule accounts" to be established.

As it stands, the big banks don’t have an incentive to police new
accounts for mule activity, because it’s generally not their customers
who are getting robbed from this activity, said Avivah Litan, a fraud analyst with Gartner Inc.

“The bad guys shouldn’t be able to set up these mule accounts in the
first place,” Litan said. “The bigger banks are not doing a good job of
screening for this activity because they’re not the ones eating the
fraud on these attacks on smaller bank customers. [The bank service
providers] should be spending more money. And the regulators should be
coming down on them harder.”

Krebs suggests that, perhaps, "small, regional and local banks can pool their clout and resources to extract more from service providers than what those companies are
currently offering." Fat chance. Several years ago, some of the largest users of technology services in the country made a concerted effort to get giant service providers to take more contractual responsibility for the performance, and vulnerabilities, of their technology. It fell flat. Unless the bank regulatory agencies intervene directly with the service providers, they'll continue to do what they do best: collect fees and deny liability.

As for watching your own back as it applies to business customers, Krebs offers some good suggestions, among them:

Shop around for banks until you find one that assures you that it uses layered security.

Use "Positive Pay" if your bank offers it because it not only deters check fraud but other unauthorized transfers, online and off (I heartily concur).

Use Live CD to temporarily covert your PC from Microsoft to Linux for doing online banking transactions.

August 07, 2011

Vendor management has been a topic this blog has been gassing about since its earliest days. You'd think that by now, the subject would be "old hat." Unfortunately for bankers who fell asleep at the vendor management wheel, it's an evergreen source of regulatory sanctions.

The immediate cause of this rising concern might be the loan servicing debacle that's made so many bad headlines for bumbling loan servicers, many of them the nation's largest too-big-to-fail banks. Unfortunately, it's raised a red flag with bank regulators, a flag that's likely to have examiners parsing the nuances of the vendor management programs of banks both large and small. As consultant Eric Holmquist warns, the topic is likely to be "one of the top items of focus this year when it comes to risk governance." Just what overburdened community bankers needed to hear, eh?

Other observers offer up the idea that community banks ought to take this increased scrutiny as an opportunity to save themselves some money.

Third party costs, separate from payroll, are among the heaviest for community banks, averaging 30% to 40% of non-interest expense. That presents opportunities for cost-cutting and improved efficiencies. With the economy still struggling, vendors may be willing to negotiate with you on price to hang on to your business as tough times continue.

“This is about taking the opportunity, which has been created by some regulatory requirements, to get back to some sound business practices,” says Paroon Chadha, co-founder and vice president of Passageways, an Indiana firm that provides vendor management and other services to credit unions and community banks. “If you can improve performance for 40% of your spending, that is easily the most underutilized opportunity you have in your playbook.”

“Most institutions are focused on ensuring that they meet regulatory guidelines. It boils down to a compliance activity,” says Rock Carter, chief executive of Credit Union Vendor Management, a Colorado-based firm that provides vendor management services to credit unions. “There is a hard dollar advantage to managing vendor relationships in a way that goes beyond the minimum to meet regulatory guidelines.”

“When you manage that vendor … you will often see these results in terms of enhanced service levels,” Carter says. “If you are on auto pilot, you are not going to see that the commitments made at sales time have gone unfulfilled.”

One of our clients is currently employing the services of a consulting firm to scour all of its third party vendor arrangements for cost savings and other areas of "improvement." Such consultants retain a percentage of the cost savings, so they're incentivized to maximize the reduction of expenses. Vendors hate to see those guys walking in the door, but life is tough all over these days, so they learn to live with it.

If you've got to live with the lemon of more regulatory scrutiny, you might as well use the occasion to try to make some lemonade.

December 09, 2010

Last year, we detailed Colorado's "crisis" with respect to the "deactiviation" of mortgage brokerage licenses in that state because so many of the brokers couldn't pass a basic skills test. Colorado wasn't alone, inasmuch as previous posts over the last few years have related similar problems in Texas and Washington.

We learned yesterday that Florida is having its own mortgage broker fallout problem, but in the Sunshine State's case it's not due to dummies failing a test but because they haven't bothered to apply for a license under the new stringent licensing requirements mandated by the S.A.F.E. Act.

Less than 25 percent of mortgage industry professionals in Florida have submitted an application to the state to obtain licensing under new guidelines that will be implemented on January 1. With less than a month to go before more stringent requirements take effect, the state is now concerned that mortgage brokers throughout the state could find themselves ineligible to work.

[...]

The state said only 14 percent of the licensed mortgage companies and 23 percent of the licensed mortgage company branches in the state have submitted applications.

Those who submit applications after December 31 could be forced to wait up to three months to have new applications approved.

Maybe it's just me, but there appears to be a severe morale problem in the mortgage brokerage business. Perhaps that's due to the fact that since the subprime meltdown in 2007 and the general economic collapse in the fall of 2008, the mortgage business has...how shall we put it delicately..."sucked." We don't mean "sucked" in the sense that you might inhale somewhat more vigorously after a brisk 10-minute walk to Starbucks. No, we mean "sucked" with force sufficient to draw a golf ball through six feet of garden hose.

The reason that mortgage brokers aren't re-taking educational tests or applying for a new license might just be that many of them have found other useful employment, such as asking me whether I'd like "fries with that" or "a blueberry scone to go with that latte." Perhaps I'm wrong, but I think these phenomena are due more to mortgage brokers having left the mortgage business in droves so they can earn a steady income than they are to some total ignorance of regulatory requirements or space aliens shooting their heads full of pellets that cause a sudden onset of Asperger's syndrome. If it turns out that, all of a sudden, the mortgage lending needs of Joe and Jane Sixpack are not being adequately served, we can always find some folks offshore, like the very polite and efficient customer service representative I spoke to yesterday on a technology problem and who identified himself, without cracking up once, as "Brandon" (but who definitely sounded more like "Mujibar") to fill in the gaps until our home-grown mortgage brokers get their collective act together again.

January 05, 2010

Experts consulted by Atlanta Business Chronicle reporter J. Scott Trubey tell like it too often is: small banks often wait too long to deal with problem commercial loans and, by the time they do finally address the problem loans, they lack the internal skill set to deal with them properly. Georgia is ground zero for this issue, with 30 banks in the state having already failed and with over a third of the state's banks under regulatory enforcement orders of some sort.

Small lenders, with limited personnel, often do not have talent with the depth of experience to handle the complexity and sheer volume of
problems the current financial crisis has thrown at them, experts say.

Some are turning instead to outside consultants who are resorting to
creative measures to salvage value out of busted real estate bets.

[...]

“What you’ll find with lenders is they’ll drag their feet and drag
their feet until their problems catch up to them,” said Joe Waites, a
bank consultant and partner with Minerva Consulting LLC. “[Small banks] don’t have the talent and in most cases they don’t have the right resources.”

Small banks by their nature are deeply embedded in their
communities. Often borrowers and bankers go to the same church or golf
club and their children play on the same soccer team. They need
independent, third parties to make the hard choices, while not breaking
those bonds.

“You can’t convert lenders into workout experts,” Waites said.
Lenders spend months and years building relationships with borrowers.
When the loan starts to sour, the bank itself may not see that the loan
is going south until it’s too late.

“Literally the losses get larger and larger,” Waites said.

As commercial real estate problems continue to worsen, the prospects are only going to get bleaker for those banks that play "wait and pray."

The next wave — commercial real estate — will also hit community banks that bet on retail centers and small office buildings.

According to industry sources, many banks have not been proactive
and engaging their borrowers to find workout solutions before problems
worsen.

This is one area where thinking you can handle whatever comes down the tracks may very well result in you being run over. Even if a community bank with problem commercial loans thinks it can weather the storm without hiring outside help, it might be worthwhile to talk to outside consultants who have a track record of dealing with troubled assets (there are a number of folks who gained much hard-earned expertise during the mid-60-late 1980s and early 1990s and who are still kicking) to see what they have to offer. At the very least, you will be able to say you considered hiring outside help to assist the bank in dealing with its problem loans and rejected that course of action for whatever logical business reasons might be relevant. That's better than facing your board and shareholders with the bank rapidly sliding down the hill into a bottomless pit and admitting (or being forced to admit) that you didn't explore all the alternatives.

Not every consultant will be able to add sufficient value, but it never hurts to turn over all the stones in sight.